The LDAP Connection Check tool is a command line tool that helps Ranger
administrators configure LDAP properties for the UserSync module. The tool collects
minimal input from the administrator about the LDAP/AD server and discovers various
properties for users and groups in order to successfully pull only targeted Users
and Groups from the LDAP/AD server. It provides options such as
discovering/verifying UserSync-related properties as well as authentication
properties, generating install properties for manual installation, etc. Once all of
the required properties have been discovered and tested, these properties can be
applied to the Ranger configuration during Ambari or non-Ambari cluster
installation.

The LDAP Connection tool can be accessed in the
/usr/hdp/current/ranger-usersync/ldaptool directory.

In order to discover the usersync and authentication related properties, the
LDAP Connection Check tool collects some mandatory information as part of the
input properties. These mandatory properties include:

The tool provides two options for collecting values for these mandatory
properties:

Modify the input.properties file provided as part of the tool installation and
pass that file (with its complete path) as the command line argument while
running the tool.

Use the CLI to input the values for these mandatory properties.

The CLI option is presented to the user when no input file is provided as the
command line option (-i <arg>) while running the tool. Once the values are
collected from the CLI, they are stored in the input.properties file (in the
conf directory of the installation folder) for later use.

The following is the CLI provided by the tool when the input file is not
specified.

In order to use secure LDAP, the Java default truststore must be updated with
the server's self-signed certificate, or with the CA certificate that issued
the server certificate, so that the server connection can be validated. The
truststore should be updated before running the tool.
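How the truststore update described above is usually carried out, as an added Python example that is not part of the Ranger LDAP Connection Check tool. It assumes java_home points at the JDK the tool runs under, that keytool lives at <java_home>/bin/keytool, and that the certificate file name and alias are supplied by the administrator; "changeit" is the password the JDK ships with for cacerts.

```python
"""Import the LDAP server's self-signed certificate, or the issuing CA
certificate, into the Java default truststore before running the tool.

Added example; this is not code from the Ranger LDAP Connection Check tool. It
assumes java_home points at the JDK the tool runs under and that its keytool is
at <java_home>/bin/keytool. 'changeit' is the password the JDK ships with for
cacerts; pass the site's own password if it has been changed.
"""
import os
import subprocess

DEFAULT_STOREPASS = "changeit"


def find_cacerts(java_home, exists=os.path.isfile):
    """Return the default truststore path.

    JDK 8 keeps it at jre/lib/security/cacerts, JDK 9 and later at
    lib/security/cacerts; importing into the wrong one is the usual reason the
    tool still reports a certificate error after the import "succeeded".
    """
    candidates = [
        os.path.join(java_home, "jre", "lib", "security", "cacerts"),
        os.path.join(java_home, "lib", "security", "cacerts"),
    ]
    for path in candidates:
        if exists(path):
            return path
    raise FileNotFoundError(f"no cacerts under {java_home}")


def keytool_import_argv(java_home, cert_file, alias,
                        storepass=DEFAULT_STOREPASS, exists=os.path.isfile):
    """Build the keytool argument vector (a list, so nothing is shell-quoted)."""
    return [
        os.path.join(java_home, "bin", "keytool"),
        "-importcert", "-noprompt", "-trustcacerts",
        "-alias", alias,
        "-file", cert_file,
        "-keystore", find_cacerts(java_home, exists),
        "-storepass", storepass,
    ]


def import_certificate(java_home, cert_file, alias, storepass=DEFAULT_STOREPASS):
    """Run keytool and return its exit status (0 means the entry was added).

    keytool refuses an alias that already exists, so re-running with the same
    alias fails; 'keytool -list -keystore <cacerts>' shows what is present.
    """
    argv = keytool_import_argv(java_home, cert_file, alias, storepass)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    import sys
    # usage: python3 this_script.py <java_home> <cert.pem> <alias>
    sys.exit(import_certificate(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it with the JDK that run.sh actually uses; if the tool is launched under a different JAVA_HOME than the one the certificate was imported into, the connection check will still fail with a certificate error.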

Usersync-related properties are divided into two categories: User search
related properties and group search related properties. This tool provides a
-d option to discover user related and group related properties
separately or all at once. The discover properties option is used as
follows:

./run.sh -d <arg>

where <arg> can be

all: discover all of the properties at once or

users: discover only user search related properties or

groups: discover only group search related
properties

These properties are discovered based on the values provided in the input file
for all of the mandatory properties.

The following are the user search related properties that are discovered using
this tool:

Basic properties:

ranger.usersync.ldap.user.objectclass

ranger.usersync.ldap.user.groupnameattribute

ranger.usersync.ldap.user.nameattribute

Advanced properties:

ranger.usersync.ldap.user.searchbase

ranger.usersync.ldap.user.searchfilter

Group search related properties that are discovered by this tool are as
follows:

Basic properties:

ranger.usersync.group.searchenabled

ranger.usersync.group.objectclass

ranger.usersync.group.memberattributename

ranger.usersync.group.nameattribute

Advanced properties:

ranger.usersync.group.searchbase

ranger.usersync.group.searchfilter

Once all of the properties are discovered, the tool also retrieves the total
count and the details of the first 20 users and/or groups and displays them in
the output.

The value for the user search base is derived as the OU containing the largest
number of users (among the first 20 users retrieved).

The value for the user search filter is derived as <user name
attribute>=*

The value for the group search base is derived as the OU containing the largest
number of groups (among the first 20 groups retrieved).

The value for the group search filter is derived as <group name
attribute>=*
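The derivation rules above, for both the user and the group search base, re-implemented as an added Python example that is not code from the Ranger tool. It assumes the retrieved entries are available as DN strings and treats the parent container of each DN as its OU; the sample DNs are constructed. The coverage check at the end goes beyond the tool itself: it shows how many of the retrieved entries a search rooted at the suggested base would still find, which is the question an administrator should ask before accepting the suggestion.

```python
"""The search-base / search-filter heuristic described above, re-implemented.

Added example; not code from the Ranger LDAP Connection Check tool. It assumes
the retrieved users or groups are available as DN strings, and treats the
parent container of each DN as its OU. Sample DNs are constructed.
"""
from collections import Counter

SAMPLE_SIZE = 20  # the tool only looks at the first 20 users / groups

# Constructed sample of what a user retrieval might return.
SAMPLE_USER_DNS = [
    "cn=alice,ou=eng,dc=example,dc=com",
    "cn=bob,ou=eng,dc=example,dc=com",
    "cn=carol,ou=eng,dc=example,dc=com",
    "cn=dave,ou=sales,dc=example,dc=com",
    "cn=Smith\\, Eve,ou=sales,dc=example,dc=com",      # escaped comma in the RDN
    "cn=svc-ranger,ou=svc,ou=eng,dc=example,dc=com",  # nested OU under eng
]


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parent_container(dn):
    """The DN minus its first RDN, e.g. 'ou=eng,dc=example,dc=com'."""
    return ",".join(split_dn(dn)[1:]).lower()


def derive_search_base(dns, sample_size=SAMPLE_SIZE):
    """OU holding the most entries among the first sample_size DNs (None if empty)."""
    counts = Counter(parent_container(dn) for dn in dns[:sample_size])
    if not counts:
        return None
    return counts.most_common(1)[0][0]  # ties go to the container seen first


def derive_search_filter(name_attribute):
    """The tool's filter is simply '<name attribute>=*'."""
    return f"{name_attribute}=*"


def coverage(dns, search_base):
    """Fraction of the retrieved entries a subtree search under search_base finds.

    The heuristic keeps only the dominant OU, so entries in sibling OUs are
    silently left out of the sync; anything below 1.0 here means the suggested
    base needs widening.
    """
    base = search_base.lower()
    hits = 0
    for dn in dns:
        container = parent_container(dn)
        if container == base or container.endswith("," + base):
            hits += 1
    return hits / len(dns) if dns else 0.0


if __name__ == "__main__":
    base = derive_search_base(SAMPLE_USER_DNS)
    print("ranger.usersync.ldap.user.searchbase =", base)
    print("ranger.usersync.ldap.user.searchfilter =", derive_search_filter("sAMAccountName"))
    print(f"coverage of retrieved users: {coverage(SAMPLE_USER_DNS, base):.0%}")
```

With the constructed sample the suggested base is ou=eng,dc=example,dc=com, which covers four of the six users; the two sales users would never be synced unless the base is widened (for example to dc=example,dc=com) or the sample is taken from a more representative set of users.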

The LDAP Connection Check tool provides a -noauth option to skip
discovery of authentication properties. When this option is used, the tool will
not suggest the values for authentication related properties.

./run.sh -noauth

If the LDAP server is of type Active Directory, the following properties are
suggested:

ranger.authentication.method

ranger.ldap.ad.domain

If the LDAP server is not an Active Directory server, the following properties
are suggested:

ranger.authentication.method

ranger.ldap.user.dnpattern

ranger.ldap.group.roleattribute

ranger.ldap.group.searchbase

ranger.ldap.group.searchfilter

These authentication properties can be discovered either by providing the
values in the input file for only mandatory properties, or for all of the user
and/or group related properties. After discovering the authentication
properties, the tool also validates those properties by authenticating the given
user, and reports authentication success or failure in the output.

In addition to discovering properties, the tool provides a -r option to
retrieve users and/or groups using the usersync properties already given in the
input file, so that those values can be verified before they are applied. The
retrieve option is used as follows:

./run.sh -r <arg>

where <arg> can be

users : retrieve the total count and details of the first
20 users and associated groups, given the user search related properties
in the input file.

groups : retrieve the total count and details of the
first 20 groups and associated users, given the group search related
properties in the input file.

all : retrieve both users and groups, given all of the
corresponding properties in the input file.

This tool generates three files in the output directory specified with the
-o option or, by default, in the
/usr/hdp/current/ranger-usersync/ldaptool/output
directory:

ambari.properties

install.properties

ldapConfigCheck.log

All of the discovered properties (related to usersync and/or authentication)
are written to both the ambari.properties and install.properties files with the
corresponding property names.

All of the other information, such as any retrieved users/groups, the total
count and the authentication result, is written to the ldapConfigCheck.log
file. This log file also contains any errors or warnings generated while
running the tool.
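A check worth running on the generated files before applying them to Ranger, as an added Python example that is not part of the tool. It reads install.properties in java.util.Properties format and lists any of the usersync properties named above that are absent or empty, then pulls the error and warning lines out of ldapConfigCheck.log. The log line layout (a log4j-style level token per line) is an assumption, and both sample inputs are constructed rather than real tool output.

```python
"""Sanity-check the generated files before applying them to Ranger.

Added example; not part of the Ranger LDAP Connection Check tool. It reads
install.properties as a java.util.Properties file and lists any documented
usersync property that is absent or empty, then extracts the error and
warning lines from ldapConfigCheck.log. The log format is an assumption
(a log4j-style level token per line); adjust LOG_LEVEL_RE if yours differs.
Both sample inputs below are constructed, not real tool output.
"""
import re

USER_KEYS = [
    "ranger.usersync.ldap.user.objectclass",
    "ranger.usersync.ldap.user.groupnameattribute",
    "ranger.usersync.ldap.user.nameattribute",
    "ranger.usersync.ldap.user.searchbase",
    "ranger.usersync.ldap.user.searchfilter",
]
GROUP_KEYS = [
    "ranger.usersync.group.searchenabled",
    "ranger.usersync.group.objectclass",
    "ranger.usersync.group.memberattributename",
    "ranger.usersync.group.nameattribute",
    "ranger.usersync.group.searchbase",
    "ranger.usersync.group.searchfilter",
]

LOG_LEVEL_RE = re.compile(r"\b(ERROR|WARN(?:ING)?)\b")  # assumed log layout

SAMPLE_INSTALL_PROPERTIES = """\
# constructed sample of install.properties
ranger.usersync.ldap.user.objectclass=person
ranger.usersync.ldap.user.groupnameattribute=memberOf
ranger.usersync.ldap.user.nameattribute=sAMAccountName
ranger.usersync.ldap.user.searchbase=ou=eng,dc=example,dc=com
ranger.usersync.ldap.user.searchfilter=sAMAccountName=*
ranger.usersync.group.searchenabled=true
ranger.usersync.group.objectclass=group
ranger.usersync.group.memberattributename=member
ranger.usersync.group.nameattribute=cn
ranger.usersync.group.searchbase=ou=groups,\\
    dc=example,dc=com
ranger.usersync.group.searchfilter=
"""

SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO  retrieved 6 users
2024-01-01 10:00:01 WARN  users found in more than one OU
2024-01-01 10:00:02 ERROR authentication failed for the sample user
"""


def parse_properties(text):
    """Minimal java.util.Properties reader.

    Handles '#'/'!' comment lines, '=' or ':' separators and backslash line
    continuations; escape sequences inside values are left undecoded.
    """
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = (pending or "") + line[:-1]  # continued on the next line
            continue
        line = (pending or "") + line
        pending = None
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def missing_keys(props, expected):
    """Expected properties that are absent or have an empty value."""
    return [key for key in expected if not props.get(key)]


def log_problems(log_text):
    """Lines of ldapConfigCheck.log carrying an error or warning level."""
    return [line for line in log_text.splitlines() if LOG_LEVEL_RE.search(line)]


if __name__ == "__main__":
    props = parse_properties(SAMPLE_INSTALL_PROPERTIES)
    for key in missing_keys(props, USER_KEYS + GROUP_KEYS):
        print("missing or empty:", key)
    for line in log_problems(SAMPLE_LOG):
        print("log:", line)
```

An empty value is treated the same as a missing one, because the tool writes every discovered property by name and a blank search filter or search base would otherwise be applied to Ranger unchanged.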